Loom Terms & Policies
Data Processing Addendum
This Data Processing Addendum (“DPA”) supplements and is incorporated into Loom's Terms of Service or other agreement between Customer and Loom governing Customer’s use of and access to the Services (“Agreement”). Capitalized terms used below that are not otherwise defined have the meanings given to them in the Agreement.
1.1 Scope of DPA. This DPA applies to Loom’s processing of Personal Data to provide the Services to Customer pursuant to the Agreement.
1.2 Processor. The parties agree that Loom acts as a processor under Data Protection Law and/or service provider under CCPA for Customer in providing the Services to Customer.
1.3 Processing Activities. The subject matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data, and categories of data subjects are described in Exhibit A.
2. Processing of Personal Data
2.1 Loom Obligations. Loom will:
(a) process Personal Data only on documented instructions from Customer, including transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law to which Loom is subject, in which a case Loom will inform Customer of the legal requirement before processing, unless prohibited by law;
(b) ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) implement appropriate technical and organizational measures, including Loom's Security Measures, designed to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed and to ensure a level of security appropriate to the risk;
(d) respect the conditions for engaging other processors as required by applicable Data Protection Law and set forth in Section 4 below;
(e) taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, to the extent possible, to enable Customer to fulfill its legal obligations as a controller to respond to requests for exercising data subject rights pursuant to applicable Data Protection Law;
(f) taking into account the nature of processing and the information available to Loom, assist Customer in ensuring compliance with its legal obligations pursuant to applicable Data Protection Law regarding (i) security of processing, (ii) notification of and communication of Security Incidents, (iii) data protection impact assessments, and (iv) prior consultation with the applicable supervisory authority;
(g) at Customer’s choice, delete or return all Personal Data to Customer after the end of the provision of the Services, and delete existing copies unless applicable law requires storage of Personal Data;
(h) make available to Customer all information necessary to demonstrate compliance with its obligations under applicable Data Protection Law and allow for and assist with audits in accordance with Section 6 below, in each case at Customer’s expense; and
(i) inform Customer if, in its opinion, an instruction infringes applicable Data Protection Law.
2.2 Customer Instructions. Customer instructs Loom to process Personal Data as documented in this DPA and the Agreement, and as otherwise necessary to provide the Services to Customer. Customer’s instructions to Loom for the processing of Personal Data will comply with all applicable laws, including Data Protection Laws.
2.3 Controller Authorization. If Customer is a processor, Customer warrants to Loom that Customer’s instructions and actions with respect to Personal Data, including its appointment of Loom as a subprocessor, have been authorized by the relevant controller.
3. Data Transfers
3.1 Customer Authorization. Customer authorizes Loom to perform Data Transfers: (a) to any country subject to an adequacy determination by the European Commission; (b) pursuant to the Standard Contractual Clauses; or (c) any other legally valid data transfer mechanism. The Standard Contractual Clauses will only apply for Data Transfers to a country not recognized as having an adequate level of data protection if there is no other legally valid data transfer mechanism.
3.2 Data Privacy Framework. Loom has certified to the EU-US, UK Extension to the EU-US, and Swiss-US Data Privacy Frameworks (collectively, “DPF”). Loom’s DPF certification is available here and Loom’s DPF Notice is available here. Customer authorizes Loom to perform Data Transfers to the US based on Loom’s DPF certification. The parties agree that the DPF is the primary mechanism for Data Transfers to the US. If Loom withdraws from the DPF, the DPF is invalidated, or otherwise Personal Data cannot be lawfully received based on the DPF, the Standard Contractual Clauses in Section 3.3. and the UK Addendum in Section 3.4. shall automatically apply, as applicable.
3.3 Standard Contractual Clauses. For Data Transfers out of the European Economic Area, Switzerland, or the United Kingdom pursuant to the Standard Contractual Clauses: (a) the Controller-to-Processor Clauses will apply where Customer acts as a controller of Personal Data; and (b) the Processor-to-Processor Clauses will apply where Customer acts as a processor of Personal Data, and Customer will fulfill any obligations Loom may have to Customer’s controller(s) as a processor.
3.4 UK Addendum. For Data Transfers out of the United Kingdom, the UK Addendum will also apply.
4.1 General Authorization. Customer hereby grants Loom general authorization to engage Subprocessors, subject to the terms of this DPA and the Agreement. Loom uses the Subprocessors listed at loom.com/privacy to provide the Services and will notify Customer of any intended changes concerning the addition or replacement of a Subprocessor via the mechanism listed on that page. If Customer provides a reasonable written objection to a new Subprocessor within 10 days of receiving notice, and Loom chooses not to suggest an alternative, Customer may terminate the Agreement after 30 days’ notice to Loom.
4.2 Subprocessor Requirements. Prior to the engagement of a Subprocessor, Loom will enter into a written agreement with the Subprocessor containing at least the same data protection obligations as those set out in this DPA, including providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of applicable Data Protection Law. If a Subprocessor fails to fulfill its data protection obligations, Loom will be liable to Customer for the performance of that Subprocessor’s obligations.
5. Security Incidents
5.1 Security Incident Notification. Upon becoming aware of a Security Incident, Loom will notify Customer without undue delay and promptly take reasonable steps to minimize harm and secure Personal Data.
5.2 Notification Description. To the extent possible, notification to Customer will describe the nature of the Security Incident, the likely consequences of the Security Incident, and the measures taken or proposed to be taken to address the Security Incident. Loom’s notification of or response to a Security Incident will not be construed as an acknowledgement by Loom of any fault or liability with respect to the incident.
6.1 Customer Audit. Upon Customer’s prior written request and subject to the confidentiality obligations, Loom will allow Customer or an independent third-party auditor that is not a competitor of Loom to access information or inspect Loom’s procedures relevant to the protection of Customer Data in order to audit Loom’s compliance with this DPA.
6.2 Process for Inspections. Inspections may be conducted no more than once per year and only in a manner that does not interfere with Loom’s normal business operations. Customer and Loom will mutually agree upon the scope, timing, and duration of the inspection, and Customer will reimburse Loom for reasonable fees associated with time spent on the inspection. Any deficiencies or reports created based on such access or inspection must be promptly shared with Loom and will be Loom’s Confidential Information.
7. CCPA Certification
Loom will not:
(a) sell Customer personal information;
(b) retain, use, or disclose any Customer personal information for any purpose other than for the specific purpose of providing the Services, including retaining, using, or disclosing Customer personal information for a commercial purpose other than providing the Service; or
(c) retain, use, or disclose Customer personal information outside of the direct business relationship between Customer and Loom.
This DPA is subject to the terms of the Agreement, including without limitation, those regarding dispute resolution, limitation of liability, and termination. If any of the provisions of this DPA conflict with the provisions of the Agreement, the provisions of this DPA will prevail.
“CCPA” means the California Consumer Privacy Act of 2018 and any legislation or regulation that amends, replaces, or re-enacts it.
“Controller-to-Processor Clauses” means the standard contractual clauses between controllers and processors approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, available here.
“Data Protection Law” means (a) the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data effective 25 May 2018 (the General Data Protection Regulation) and any legislation or regulation that amends, replaces, or re-enacts it; and (b) any other applicable data protection law or regulation of the European Union or the European Economic Area and their member states, Switzerland, and the United Kingdom.
“Data Transfer” means any transfer or onward transfer of Customer Personal Data out of the European Economic Area, Switzerland, or the United Kingdom to another country.
“Personal Data” means personal data contained in Customer Data that is subject to applicable Data Protection Law or the CCPA.
“Processor-to-Processor Clauses” means the standard contractual clauses between processors approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, available here.
“Security Incident” means a breach of Loom’s Security Measures causing the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by Loom;
“Standard Contractual Clauses” means the Controller-to-Processor Clauses or the Processor-to-Processor Clauses, as applicable and as may be updated from time to time to the extent required by Data Protection Law.
“Subprocessor” means a third party engaged by Loom to processes Personal Data in order to provide parts of the Services under the Agreement.
“UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, version B1.0, in force on March 21, 2022, issued by the UK Information Commissioner’s Office under Section 119A(1) of the Data Protection Act 2018, available here.
The terms “controller”, “processor”, “data subject”, “personal data,” “processing" and “appropriate technical and organizational measures” have the meanings provided in applicable Data Protection Laws.
The terms “business”, “commercial purpose”, “service provider”, “sell” and “personal information” have the meanings provided in the CCPA.
Subject Matter of Processing
The subject matter of the processing is the Personal Data submitted to the Services by Customer pursuant to the Agreement.
Duration of Processing
The processing will continue until the expiration or termination of the Agreement, or as otherwise determined by Customer by deleting Personal Data from its account.
Nature and Purpose of Processing
Processing by Loom to provide the Services to Customer pursuant to the Agreement.
Types of Personal Data
Personal Data provided to Loom by Customer or its Authorized Users, including:
- Name, email address, and other account data;
- Video, audio, transcript data, and comments containing Personal Data;
- Transaction logs for transactions conducted by users using the Service;
- Information about the hardware and software used to access the Service;
- Information and analytics about use of the Service;
- Employee authentication information, such as user ID and department information;
- Other Personal Data uploaded or submitted by Customer or Authorized Users to the Services.
Categories of Data Subjects
Employees and other Authorized Users of Customer and any other individual whose Personal Data is uploaded or submitted by Customer or Authorized Users to the Services.